Cross-Border Data Requests: A Response to Greg Nojeim

Last week on Lawfare, Greg Nojeim responded to — and raised a set of questions about — our proposed framework for dealing with cross-border requests for stored communications. In particular, he focuses on what he calls our efforts to eliminate the probable cause finding prior to the disclosure of stored communications content by US communications service providers. He suggests that this might allow countries with insufficient privacy protections to access more data. And he implies that our reform effort is at odds with the long-standing efforts of the Digital Due Process Coalition to make warrants for content mandatory in the United States — an implication, that, as we point out below, does not at all follow from our approach.

Contrary to what Greg suggests, we believe that our framework would enhance online privacy protections, particularly as compared to the status quo. This post explains why.

First, it is important to understand how our proposed framework works. In order for another nation to even be eligible to request data directly from a provider, it must demonstrate that it satisfies basic human rights standards and has a robust — and privacy-protective — data request regime. In addition to establishing a “strong factual basis” for the request, the cross-border data request must, among other things, be approved by a judicial or otherwise independent adjudicator; be targeted to a specific person, account, or device; specify the type, time frame, and scope of data sought; be subject to minimization procedures designed to protect against the retention and dissemination of both non-relevant data and US person data; and be subject to post hoc reporting and accountability requirements. These standards reflect our conversations with a wide range of stakeholders and our efforts to build in robust privacy protections; that said, we are open to further refinement.

We envision at least three checks on the kind of requests made: first, a judge or independent adjudicator in the requesting country must sign off on the request based on a determination that the specified requirements are met; second, the provider’s compliance team will review the adequacy of the request; and third, the request will be subject to post hoc accountability mechanisms — mechanisms that do not exist in the current regime and thus add an additional layer of protection.

Many countries will not be able to satisfy all of these requirements currently. This framework — if adopted — would provide an incentive for countries to raise their standards so as to be able to benefit from the expedited access to data provisions. In other words, it could, if implemented correctly, serve to raise human rights and privacy protections in nations across the globe.

Second, as a normative matter, it is not at all clear why the US should be in the business of imposing a particular “probable cause” formulation on the rest of the world, rather than accepting other ways of satisfying a “strong factual basis” standard. It is particularly hard to justify in the situations we are talking about here: when a foreign government is seeking data of a non-US person (defined as a US citizen or legal permanent resident) who is located outside the United States and thus the only connection to the United States is the fact that the targets’ data is held by a US-based Internet Service Provider. Put bluntly, the requirement that the United States insist on a probable cause standard strikes us as imperialistic — and that is how it strikes many foreign civil society groups and foreign governments as well.

Third, it is worth noting — as Greg also points out — that his own proposal includes the very same feature that he questions in his post (one that would permit foreign governments to obtain access to communications based on a standard other than probable cause), albeit limited to those situations in which the perpetrator, victim, and location of the crime are all in the country that makes the demand for stored content. It is not at all clear to us why that would be permissible if the key actors are all local, but impermissible simply because a local-based perpetrator works with a foreign conspirator that resides across that state’s national borders.

Fourth, there is absolutely no connection between this proposal and the separate efforts to reform the Electronic Communications Privacy Act to require the US government obtain a warrant based on probable cause whenever it accesses the content of stored communications — efforts that we both strongly support. Such efforts are in fact consistent with our position that no government — not the United States or any other state — should obtain access to the contents of stored communications absent independent authorization and a strong factual basis. Such a reform holds the US government to US standards when it seeks to compel the contents of stored communications and should be strongly supported. That, however, does not mean that every other nation must adopt this exact (American) legal standard, so long as they also have a mechanism for judicial or independent authorization and a strong factual basis for the request.

Fifth, the bulk of the world’s data will not always reside in American hands, and we ought to think carefully about what rules should govern cross-border data requests as Internet demographics change. If, for example, the US government were to seek emails critical to the prosecution of a local crime, but the emails happened to be held by a foreign-based company, would we want the US to have to ask the foreign government for access to the data, or would we want the US to be able to serve a warrant on the foreign-based company directly (after proving to a US judge that there is probable cause)? We think the latter, and that is why we built a reciprocity requirement into our framework.

Sixth, and finally, it is critical to weigh the costs of simply maintaining the status quo. As we detailed in our previous post, foreign nations currently wait an average of 10 months to get access to the content of communications from US-based service providers, given, among other problems, the time-consuming nature of the current mutual legal assistance treaty process. This is an obvious source of frustration, particularly when the only US connection to the criminal activity being investigated is the happenstance that it is held by a US-based provider.

Absent a solution to this problem, we are likely to see increased data localization laws (requiring that data be stored locally); increased reliance on other surreptitious means of getting access to data; and increased demands for backdoor access to encrypted data. Each of these responses will decrease privacy protections in the long-run. In particular, forced data localization ensures that foreign governments get access to the data based on their own standards — without any requirement of probable cause or judicial authorization, and without any of the privacy-enhancing incentives that our framework provides.

* * *

This is one of those rare moments when companies, civil society, and academics have a chance to help shape a system before it is too late. Insisting on the status quo will almost certainly lead to long-term erosion of privacy protections, loss of business to US companies, and an undercutting of the efficiency benefits of a globally-connected Internet — as foreign governments increasingly demand that their residents and/or nationals store their data locally so as to preserve access to the data. By making the relatively minor and sensible reforms that we have proposed (and that we think Greg largely agrees with), we have a chance to convince countries to agree to a regime for data access that has human rights protections baked in — and that will actually raise, not lower, privacy protections across the globe.